91 Comments
- kodek, on 10/12/2007, -3/+68 Second identity theft? :-)
- indyhouse, on 10/12/2007, -4/+65 It should also be pointed out that Linden Labs sat on this information for two days before doing anything about it.
- AlexFitzsimmons, on 10/12/2007, -5/+35 And lest it be lost in the shuffle, let's be abundantly clear: Linden Labs is solving this major issue by ... screwing off and going home for the weekend!
- inactive, on 10/12/2007, -2/+20 And let's not forget they have the nice "No security question on file" bug, which is preventing even people who do remember their security answer to log in.
- nonpromqueen, on 10/12/2007, -5/+21 "Sorry, we can't help you 'till Monday!"
- inactive, on 10/12/2007, -8/+24 yes!!!!!!!!!
i hope those hackers go after WoW servers next. and delete everything.
mass suicides everywhere!!! that will be a great day.
- inactive, on 10/12/2007, -3/+19 Add to that the fact that only US and UK residents will be getting toll-free numbers. The rest of the world will be making an international call!
- inactive, on 10/12/2007, -7/+22
"All the lindens are working overtime right now to get as much solved as possible."
Overtime? They're all at home for the weekend, if you have not noticed!
- AlexFitzsimmons, on 10/12/2007, -5/+20 Given that this is LL we're talking about, I wouldn't be surprised if they saw the "smoke signals" comment and thought, "Hey, great idea!"
- 1337geek, on 10/12/2007, -2/+15 in a way, and only in 1 good way, is this a good thing. It cleans out all the griefer accounts who were too lazy to save their info. I'm back in, I'm Phix Grayson
- lordfly, on 10/12/2007, -11/+22 Why? Would you prefer smoke signals?
- lordfly, on 10/12/2007, -3/+14 Well, aside from the obvious google search...
It's a 3d virtual world where the residents create the content rather than the company. It's neat.
- micro506, on 10/12/2007, -2/+13 You know, that's the first time I've ever heard the "my brother is a uber 1337 haX0r" boast before.
- indyhouse, on 10/12/2007, -4/+14 I don't see how two days of investigation and THEN telling everyone their passwords, and possibly their credit card and personal billing information may have been disclosed is good business practice. Companies are expected to act on security breaches immediately. What damage was done while they were "investigating?" The hackers obviously acted covertly, so why would they do something stupid to reveal their tracks? They could have logged into well-known accounts when they were offline and stolen code or sent full-perm copies of objects to a wide variety of alts. The things people could do with just our password are mind-boggling. It highlights the stupidity of the current login system though. Your user name IS ALSO your login name? Who in the world at LL thought THAT was a good idea?! I like WoW, where you have a login name known only to you, and all of your accounts are stored under that login name. More crap for hackers to get through, in the unfortunate case where the company you trust with your private data is actually keeping it on a WORLD-ACCESSIBLE WEB SERVER!!!
- geuisteses, on 10/12/2007, -3/+13 Beyond this unfortunate security incident, Second Life is a virtual world with over 500,000 regular users. The number of registered is a bit higher, around 650,000 or so but they don't log in that often apparently.
Anyway, Second Life lets you create a completely custom avatar. There is a huge economy measured in the millions of dollars, based on real currency exchange. You have the ability to create an infinite variety of objects, from clothing to buildings, and more. What's more, unlike every other online multiplayer world, SL respects the ownership rights of its residents. Whatever you create, it's yours. You have normal rights under the DMCA to the clothing, or house, or any other object you created. This enables you to sell your products for real money.
Second Life also boasts its own currency, called the Linden. It has an exchange rate, so you can exchange your Lindens for real dollars.
The economy is completely real. There are now people in the game making thousands of dollars a month, some making over $150,000 a year.
You can own land. For more money, you can even buy your own islands, on which you can do anything you want. Rent it out or sell it to other players, etc.
There is a massive in-world culture developing. Musicians, artists, speakers, writers, etc. It's very, very interesting.
It's free to register. Used to be a $10.00 fee, but no longer. I've been a member there for over a year. In-world name is Geuis Dassin.
Give it a try, you won't look back.
- inactive, on 10/12/2007, -2/+11 @zzzzbest
How exactly would LL decrypt an MD5 to use it for payment?
- invinciblechunk, on 10/12/2007, -2/+11 This is a serious and ongoing problem with Second Life. I once lost money due to a bug in their system on a Friday evening. Bad time for anything to go wrong.
A real professional company with "600K users" could at least staff someone on the phones on weekends.
- MacAngelus, on 10/12/2007, -2/+11 I keep hearing that griefers will be screwed by this.
This is not really the case. Thanks to the totally open and unsecure verification process those griefers can have a new account ready to go before we can reset our password. And they will get the bonus of a clean (no ar's) slate to start all over with.
- nonpromqueen, on 10/12/2007, -1/+10 "Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day."
- nonpromqueen, on 10/12/2007, -6/+14 Smoke signals are the latest craze.
- diggumjonez, on 10/12/2007, -6/+14 and it should be noted that, apart from designing a potentially fun environment, Linden Labs billing support policies are idiotic. They'd rather spend their time not informing users about major security breaches than to take a few minutes to respond to billing questions.
- Shmoo, on 10/12/2007, -3/+11 I certainly don't trust Second Life with my private information anymore. I am seriously considering just deleting my account.
- nonpromqueen, on 10/12/2007, -7/+15 No, I'd prefer open forums, with updates on how they're going to fix this mess.
- BSpolice, on 10/12/2007, -0/+7 HA! I knew I was right not to give them my cc info.
- lmmz, on 10/12/2007, -1/+7 SL users are crying for answers on this. And getting none. Are the credit card numbers safe? This is turning into a sizeable black eye for Linden Lab.
- ajbalash, on 10/12/2007, -6/+12 "On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it."
Looks like they did something about it right when they found it to me.
- indyhouse, on 10/12/2007, -0/+6 Here's the text of the email being sent to all Second Life users:
Hello Second Lifers,
As announced on our website at http://secondlife.com/corporate/bulletin.php and corporate blog at http://blog.secondlife.com/?tag=security, Second Life discovered an attack on our servers on September 6, 2006. The full security bulletin is reprinted below, followed by a FAQ that includes important security advice for our community.
===================
SECURITY BULLETIN
*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.
The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed. The company's technical investigation is ongoing.
"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community."
Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.
===================
FREQUENTLY ASKED QUESTIONS
Q: I can't log in to Second Life. How can I regain login access?
A: As a security precaution, all Second Life account passwords have been invalidated. You need to establish a new password in order to log in. You can receive instructions for changing your password by visiting http://secondlife.com/password. Please note that we are updating the password request process - if you have recently tried that page and could not change your password, please try again.
Q: Was my account information compromised?
A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.
Q. Is my information still at risk from another attacker?
A: The compromised system was rebuilt and made more secure. We will be announcing additional plans for security improvements in a post to come on our blog, at http://blog.secondlife.com/?tag=security.
Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?
A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.
Q: What kind of attack was used to gain access to the Second Life databases? Has the identity of the attacker been established?
A: We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.
Q: What was the timing of the attack and Linden Lab's investigation?
A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and we will report further results as they become available at http://blog.secondlife.com/?tag=security.
Sincerely,
Linden Lab and the Second Life team
- corsar, on 10/12/2007, -0/+6 deleting your account now won't help you. the hacker(s) already has the data.
hackers share their "conquests" on private forums, so many people have this data now.
- richmastaplus, on 10/12/2007, -0/+6 looks like 642,720 people will not only have a second life, they'll have a third, the identity this hacker just stole from them
- YourTechSupport, on 10/12/2007, -1/+7 A Zero-Day Exploit is when a hacker takes advantage of a published security flaw the day it becomes known. It's possible this is related to another known breach in the vBulletin forums, which are loosely tied into Accounts.
- donpdonp, on 10/12/2007, -1/+7 to zzzzbest: it's unclear whether "just personal details" were copied.
"database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information."
I take that to mean encrypted credit card info was stolen, in encrypted form.
"No unencrypted credit card information is stored on the database in question."
well of course, if the info is encrypted then this is trying to make the situation sound better than it is. None of their databases should have unencrypted credit card information.
"Unencrypted credit card information has not been compromised."
If you _have no_ unencrypted credit card info, then yeah this is painfully obvious. again this sounds more like a distraction tactic than a forthright deliberation.
if encrypted passwords were part of the database, and they're making everyone change their password, my guess is the encryption technique was not very strong and possibly the CC information was encrypted the same way.
- SkyGoodnight, on 10/12/2007, -1/+6 I guess this means I am going to have to keep a good eye on all my accounts associated with Linden Labs. I wonder if or how long it will be until we hear from the folks who have missing cash from their banks or PayPal accounts?
- STKD, on 10/12/2007, -2/+7 This is idiotic. Forced pass resets on the accounts require the "security question" to be answered. In my case I set something relatively obscure to - irony coming - make sure things like this didn't happen. Over 6 months ago. Now I can't remember it and am thus locked out of my account, losing all my hard-made custom items, cash, avatar.
This *really* sucks. Thousands of people are going to have the same problem.
So long Second Life.
- logic7, on 10/12/2007, -1/+6 I got an email from Linden Labs about the breach five hours ago. And i am *not* an active Second Life user, just tried it out once and decided i didn't like it.
And by the way, Linden Labs: Thank you for forcing me to enter my credit card data in order to create a "free" account to test your software. I see now my sensitive data is in good hands. A**holes!!
- lmmz, on 10/12/2007, -1/+6 Apparently, Linden Lab has decided to try and help the locked-out users before Monday.
Robin Linden says: "We should have a way that you can manually reset your password, even if you don't remember your security question, later this evening. Our web team has not gone home, but is rebuilding the security validation as I write."
I don't know if the exposure here on DIGG had anything to do with the decision, but THANKS to everyone who dugg the story!
- geuisteses, on 10/12/2007, -4/+9 I would like to add I'm glad I used one of those throw-away credit cards in order to register my account. Pretty much most purchases I do online I run to the check cashing store and load up some dollars to buy online. The extra $1.00 fee per transaction from the CC company is worth my financial security online. Notice, only do this with bigger transactions cause those $1.00 charges can add up fast.
- indyhouse, on 10/12/2007, -1/+5 Just quoting the official Linden blog there, moeity. After all, that is the only "official" line of communication from Linden Lab these days.
- Agret, on 10/12/2007, -0/+4 " Notice, only do this with bigger transactions cause those $1.00 charges can add up fast."
So why'd you do it with Second Life? You have to keep buying in-game money with your credit card and it's going to cost you an extra $1 for each purchase....
- Ulrika, on 10/12/2007, -2/+6 @moonwell: I believe it was submitted to Security, which is clearly appropriate.
- justconnor, on 10/12/2007, -1/+5 How does a team this big and this good at coding not notice a bunch of people getting into their *****? Now they have screwed up more people's stuff than their own...
- indyhouse, on 10/12/2007, -1/+4 @ YourTechSupport: Yeah, that's what I thought. I know from my interactions with some people I've met in-world that there is going to be a good number of people that will have no clue what happened.
- duhblow7, on 10/12/2007, -2/+5 SB 1386
http://www.oit.ucsb.edu/committees/itpg/sb1386.asp
- YourTechSupport, on 10/12/2007, -1/+4 You'd hope they at least used SHA-xxx where x is a very high number.
- invinciblechunk, on 10/12/2007, -0/+3 You answered your own question. Linden Lab are amateurs.
- indyhouse, on 10/12/2007, -1/+4 Which leads me to ask the question "What is a zero-day exploit?" ... and why does Linden Lab throw the term around like everyone and their mother is supposed to know what it is?
- simd, on 10/12/2007, -0/+3 "deleting your account now won't help you.the hacker(s) already has the data."
Well indeed, but I won't trust them with any MORE of my personal data, such as the new credit card number I'm going to have to get.
- EmmEff, on 10/12/2007, -0/+3 This is EXACTLY the reason why I refused to give them credit card info even though they weren't going to bill for the free account...
- simd, on 10/12/2007, -0/+3 "A Zero-Day Exploit is when a hacker takes advantage of a published security flaw the day it becomes known."
Which unfortunately also suggests the hacker is a professional in touch with the security / hacking community.
- simd, on 10/12/2007, -0/+3 As has been pointed out, the credit card information must have been stored in such a way as it could be unencrypted, otherwise how could they retrieve the number to bill it? So the chances of it being compromised are VERY high. I'm phoning my bank now.